Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application: 



1. (Currently Amended) A method for isolating a plurality of ports sharing a single virtual
local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices 
within a local area network, at least one device in the group not belonging to any other VLAN, 
the method comprising: 

configuring each of said plurality of ports by a user on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on
said data packet, wherein the generating further includes allowing said data packet to be
forwarded from a protected port to a non-protected port while preventing said data packet from
being forwarded to another of said protected ports; and

sending said data packet to said plurality of ports pursuant to said forwarding map. 

2. (Original) The method of claim 1 wherein said generating step further comprises sending 
said data packet to each of said non-protected ports if said destination address is not matched 
with said physical address and said ingress port is a protected port. 

3. (Original) The method of claim 1 wherein said generating step further comprises sending
said data packet to all of said plurality of ports if said destination address is not matched with 
said physical address and said ingress port is a non-protected port. 

4. (Canceled) 

5. (Original) The method of claim 1 wherein said generating step further comprises
allowing said data packet to be forwarded from one of said non-protected ports to another of said
non-protected ports between each of said non-protected ports.

6. (Canceled) 

7. (Canceled) 

8. (Currently Amended) A program storage device readable by a machine, tangibly 
embodying a program of instructions executable by the machine to perform a method for 
isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 
switch, wherein the single VLAN is a group of devices within a local area network, at least one 
device in the group not belonging to any other VLAN, said method comprising: 

configuring each of said plurality of ports by a user on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on
said data packet, wherein the generating further includes allowing said data packet to be
forwarded from a protected port to a non-protected port while preventing said data packet from
being forwarded to another of said protected ports; and

sending said data packet to said plurality of ports pursuant to said forwarding map. 

9. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising: 

a port configurer to configure said plurality of ports as a protected port or a non-protected
port;

an address table memory storing an address table, said address table having a destination 
address and port number pair; 

a forwarding map generator generating a forwarding map; and 

said forwarding map responsive to a destination address of a data packet so that the data 
packet is forwarded either to a port number paired with the destination address in said forwarding 
table, or if not so paired, said data packet is forwarded to each of said non-protected ports on said 
switch and said data packet is prevented from being forwarded to a protected port if an ingress
port is protected or if said ingress port is non-protected, said data packet is forwarded to all of
said plurality of ports. 

10. (Original) The apparatus of claim 9 wherein said incoming packet is forwarded from one
of said non-protected ports to other non-protected ports. 

11. (Canceled) 

12. (Canceled) 

13. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising: 

means to configure each of said plurality of ports on said layer 2 switch as a protected or 
non-protected port; 

means to match a destination address on a data packet with a physical address on said 
layer 2 switch, said data packet received on an ingress port; 

means to generate a forwarding map for said data packet based upon said destination
address on said data packet, wherein the generating further includes allowing said data packet to
be forwarded from a protected port to a non-protected port while preventing said data packet
from being forwarded to another of said protected ports; and

means to send said data packet to said plurality of ports pursuant to said forwarding map.

PAGE 6/13 * RCVD AT 3/21/2006 3:31:21 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-2/6 * DNIS:2733093 * CSID:4082878040 * DURATION (mm-ss):03-32

03-21-06 12:34 From-Thelen Reid & Priest LLP 4082878040 T-481 P. 007/013 F-642

Docket No. CISCO-2828

14. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map
further comprises a means to forward said data packet to each of said non-protected ports if said
destination address is not matched with said physical address and said ingress port is a protected
port.

15. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises a means to forward said data packet to all of said plurality of ports if said 
destination address is not matched with said physical address and said ingress port is a non- 
protected port. 

16. (Canceled) 

17. (Currently Amended) The apparatus of claim 13 wherein said means to generate a 
forwarding map further comprises means to allow said data packet to be forwarded from one of 
said non-protected ports to another between each of said non-protected ports.

18. (Canceled) 

19. (Canceled) 

20. (Currently Amended) A method for isolating a plurality of ports sharing a single virtual 
local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices 
within a local area network, at least one device in the group not belonging to any other VLAN, 
the method comprising: 

maintaining a state for each of said plurality of ports on said layer 2 switch as a protected
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on
said data packet, wherein the generating further includes allowing said data packet to be
forwarded from a protected port to a non-protected port while preventing said data packet from
being forwarded to another of said protected ports; and

sending said data packet to said plurality of ports pursuant to said forwarding map. 

21. (Original) The method of claim 20 wherein said generating step further comprises
sending said data packet to each of said non-protected ports if said destination address is not 
matched with said physical address and said ingress port is a protected port. 

22. (Original) The method of claim 20 wherein said generating step further comprises 
sending said data packet to all of said plurality of ports if said destination address is not matched 
with said physical address and said ingress port is a non-protected port. 

23. (Canceled) 

24. (Currently Amended) The method of claim 20 wherein said generating step further 
comprises allowing said data packet to be forwarded from one of said non-protected ports to 
another between each of said non-protected ports.

25. (Canceled)

26. (Original) The method of claim 20 wherein said generating step further comprises 
allowing said data packet to be forwarded between one of said non-protected ports to each of said 
protected ports. 

27. (Currently Amended) A program storage device readable by a machine, tangibly 
embodying a program of instructions executable by the machine to perform a method for 
isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 
switch, wherein the single VLAN is a group of devices within a local area network, at least one 
device in the group not belonging to any other VLAN, said method comprising: 

maintaining a state for each of said plurality of ports on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on
said data packet, wherein the generating further includes allowing said data packet to be
forwarded from a protected port to a non-protected port while preventing said data packet from
being forwarded to another of said protected ports; and

sending said data packet to said plurality of ports pursuant to said forwarding map. 

28. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the method comprising: 

means for maintaining a state for each of said plurality of ports on said layer 2 switch as a 
protected port or a non-protected port; 

means for matching a destination address on a data packet with a physical address on said 
layer 2 switch, said data packet received by an ingress port; 

means for generating a forwarding map for said data packet based upon said destination 
address on said data packet, wherein the generating further includes allowing said data packet to
be forwarded from a protected port to a non-protected port while preventing said data packet 
from being forwarded to another of said protected ports; and 

means for sending said data packet to said plurality of ports pursuant to said forwarding
map.

29. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for sending said data packet to each of said non-protected ports if said 
destination address is not matched with said physical address and said ingress port is a protected 
port. 

30. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for sending said data packet to all of said plurality of ports if said 
destination address is not matched with said physical address and said ingress port is a non-
protected port. 

31. (Canceled) 

32. (Currently Amended) The apparatus of claim 28 wherein said means for generating 
further comprises means for allowing said data packet to be forwarded from one of said non- 
protected ports to another of said between each of said non-protected ports.

33. (Canceled) 

34. (Canceled) 

35. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising:

a state maintenance module configured to maintain a state for each of said plurality of 
ports on said layer 2 switch as a protected port or a non-protected port; 

a destination address matching module coupled to said state maintenance module and 
configured to match a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

a forwarding map generator coupled to said destination address matching module; and 


a data packet sending module coupled to said forwarding map generator and configured
to send said data packet to said plurality of ports pursuant to said forwarding map while
preventing said data packet from being forwarded from an ingress protected port to another of
said protected ports.

36. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is configured to send said data packet to each of said non-protected ports if said destination 
address is not matched with said physical address and said ingress port is a protected port. 

37. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is configured to send said data packet to all of said plurality of ports if said destination address is 
not matched with said physical address and said ingress port is a non-protected port.

38. (Canceled) 

39. (Currently Amended) The apparatus of claim 35 wherein said forwarding map generator 
is further configured to allow said data packet to be forwarded from one of said non-protected
ports to another of between each of said non-protected ports.

40. (Canceled) 

41. (Canceled) 
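
The forwarding-map rules recited in the claims above can be modelled as follows. This is an added illustration, not part of the filed claims or of any product code: the names Switch, forwarding_map, isolation_violations and enforce are hypothetical, the addresses are constructed samples, and excluding the ingress port from the flood set is an assumption the claims do not state.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    ports: frozenset                 # every port in the single VLAN
    protected: frozenset             # ports configured as protected
    mac_table: dict = field(default_factory=dict)  # destination address -> port
    enforce: bool = True             # False models a plain switch, for contrast

    def forwarding_map(self, ingress, dst):
        """Return the set of egress ports for a frame received on `ingress`."""
        hit = self.mac_table.get(dst)
        # Matched address: only the paired port. Unmatched: flood the VLAN.
        egress = {hit} if hit is not None else set(self.ports)
        egress.discard(ingress)      # assumption: never send back out the ingress port
        if self.enforce and ingress in self.protected:
            egress -= self.protected  # protected -> protected is masked out, match or not
        return egress

def isolation_violations(sw, destinations):
    """List (ingress, dst, egress) triples where one protected port reaches another."""
    return sorted(
        (i, d, e)
        for i in sw.protected
        for d in destinations
        for e in sw.forwarding_map(i, d)
        if e in sw.protected
    )

# Constructed sample: ports 1-2 protected, ports 3-4 non-protected.
PORTS, PROTECTED = frozenset({1, 2, 3, 4}), frozenset({1, 2})
TABLE = {"00:00:5e:00:53:01": 1, "00:00:5e:00:53:02": 2, "00:00:5e:00:53:03": 3}
UNKNOWN = "00:00:5e:00:53:ff"        # deliberately absent from the address table
ALL_DSTS = list(TABLE) + [UNKNOWN]
isolated = Switch(PORTS, PROTECTED, TABLE)
plain = Switch(PORTS, PROTECTED, TABLE, enforce=False)

if __name__ == "__main__":
    for dst in ALL_DSTS:
        print(dst, {p: sorted(isolated.forwarding_map(p, dst)) for p in sorted(PORTS)})
    print("violations without the protected-port mask:",
          isolation_violations(plain, ALL_DSTS))
```

With the mask enabled, a frame from protected port 1 to an address learned on protected port 2 produces an empty forwarding map, while the same frame on the plain switch reaches port 2.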